Tag Archives: Linux

Installing and Managing Veeam Agent for Linux with Backup & Replication

With the release of Update 3 of Veeam Backup & Replication we introduced the ability to manage agent from within the console. This was for both our Windows and Linux agents and aimed to add increased levels of manageability and control when deploying agents in larger enterprise type environments. For an overview of the features there is a veeam.com blog post here that goes through the different components and the online help documentation is also helpful in providing an detailed look at the ins and outs.

Scouring the web, there has been a lot written about the Windows Agent and how that’s managed from the Backup & Replication console, but not a lot written about managing Linux Agents. There theory is exactly the same…Add a Protection Group, add the machines you want to include in the Protection Group, scan the group and then install the agent. From there you can add the agents to a new or existing backup job and manage licenses.

In terms of how that looks and the steps you need to take. Head to the Inventory menu section and right click on Physical & Cloud Infrastructure to Add Protection Group. Give the group a meaningful name and then to add Linux machines select Individual or CSV method under Type. In my example I chose to add the Linux machines individually and added then added the machines via their Host Name or IP Address with the right credentials.

Under Options, you can select the Distribution Server which is where the agent will be deployed from and choose to set a schedule to Rescan the Protection Group.

Once this part is complete the first Discovery is run and all things being equal the Linux Agent will be installed to the machines that where added as part of the first step. I actually ran into an issue upon first run where the agent didn’t install due to the following error shown below.

The fix was as simple as installing the DKMS package on the servers via apt-get. Asking around, this was not a normal occurrence and that it should deploy and install without issue. Maybe this was due to my Linux server being TurnKey Linux appliances…in any case, once the package was installed I re-triggered the install by right clicking the machine and selecting Install Agent.

Once that job has finished we are able to assign the Linux agent machines to new or existing backup jobs.

As with the Windows Agent you have two different Job modes. In my example I created a job of each type. The result is one agent that is in lock down mode meaning reduced functionality from the GUI or Command line while the other has more functionality but is still managed by the system administrator. The differences between both GUIs is shown below.

From the Jobs list under the Home menu this is represented by the job type being Linux Agent Backup vs Linux Agent Policy.

Finally, when looking at the licensing aspect, once a license has been applied to a Backup & Replication server that contains agent licenses, an additional view will appear under the License view in the console where you can assign or remove agent licenses from.

From within Enterprise Manager (if the VBR instance is managed), you also see additional tab views for the Windows and Linux Agents as shown below.

References:

https://helpcenter.veeam.com/docs/backup/agents/introduction.html?ver=95

https://helpcenter.veeam.com/docs/agentforlinux/userguide/license_vbr_revoke.html?ver=20

https://helpcenter.veeam.com/docs/backup/agents/agent_policy.html?ver=95

Quick Post – Configuring Key Based Authentication for AWS based Veeam Linux Repository

I’ve been doing a little more within AWS over the past month or so related to my work with VMware Cloud on AWS and the setting up of EC2 instances to use as Veeam Linux Repositories. When deploying a linux based instance in AWS you set a key pair to the instance at the time of deployment. You then download the private key pem file and use that to remotely connect to the instance when desired.

In my testing, I wanted to configure this EC2 instance as a Linux Repository. When creating a new repository you need to set up the Linux server with the key pair. To do this you need to select the Add Linux Private Key drop down in the new Linux Server window.

Next you need to enter the username of the EC2 instance which in this case is centos (best practice here is to create a new repository user and elevate to root but for my testing using the provided) and then load up the pem file that contains the private key. You don’t need to enter in a Passphrase.

The check box to Elevate specified account to root is also selected. Accept the server thumbprint as shown below.

Once accepted the Veeam Linux components will be installed and all things being equal you will have a Veeam Linux based repository ready for action that lives remotely on an EC2 instance.

Once complete you can tag the location against the repository and now use it as a backup target.

So there you go, a quick post on how to get an EC2 Linux instance up and running in Veeam Backup & Replication as a Linux Repository.

Quick Look: Veeam Agent for Linux 2.0 – Now With Cloud Connect

Just over a year ago Veeam Agent for Linux version 1.0 was released and for me still represents an important milestone for Veeam. During various presentations over the last twelve months I have talked about the fact that Linux backups haven’t really changed for twenty or so years and that the tried and trusted method for backing up Linux systems was solid…yet antiquated. For me, the GitLab backup disaster in Feburary highlighted this fact and the Veeam Agent for Linux takes Linux backups out of the legacy and into the now.

Yesterday, Veeam Agent for Linux 2.0 (Build 2.0.0.400) was released and with it came a number of new features and enhancements improving on the v1.1 build released in May. Most important for me is the ability to now backup straight to a Cloud Connect Repository.

Integration with Veeam Cloud Connect provides the following options:

  • Back up directly to a cloud repository: Veeam Agent for Linux provides a fully integrated, fast and secure way to ship backup files directly to a Cloud Connect repository hosted by one of the many Veeam-powered service providers.
  • Granular recovery from a cloud repository: Volume and file-level recovery can be performed directly from a backup stored within the cloud repository, without having to pull the entire backup on-premises first.
  • Bare-metal recovery from a cloud repository: The updated Veeam Recovery Media allows you to connect to your service provider, select the required restore point from the cloud repository and restore your entire computer to the same or different hardware.
Configuration Overview:

To install, you need to download the relevant Linux Packages from here. For my example below, I’m installing on an Ubuntu machine but we do support a number of popular Linux Distros as explained here.

Once installed you want to apply a Server License to allow backing up to Cloud Connect Repositories.

Before configuring a new job through the Agent for Linux Menu you can add Cloud Providers via the agent CLI. There are a number of cli menu options as shown below.

From here, you can use the cli to configure a new Backup Job but i’ve shown the process though the Agent UI. If you preconfigure the Service Provider with the cli once you select Veeam Cloud Connect Repository you don’t need to enter in the details again.

Once done and the job has run you will see that we have the backup going direct to the Cloud Connect Repository!

From the cli you can also get a quick overview of the job status.

Wrap Up:

I’ve been waiting for this feature for a long time and with the amount of Linux server instances (both physical and virtual) that exist today across on-premises, partner hosts IaaS platforms, or hyper-scale clouds, I hope that Veeam Cloud & Service Providers really hone in on the opportunity that exists with this new feature.

For more on What’s New in 2.0 of Veeam Agent for Linux you click here.

References:

https://www.veeam.com/veeam_agent_linux_2_0_whats_new_wn.pdf

Service Providers Be Aware: Samba Vulnerability is out there! SambaCry

Having worked in and around the service provider space for most of my career when I heard about the Linux variant of WannaCry, SambaCry last week, I thought to myself that it had the potential to be fairly impactful given there would be significant numbers of systems that use Samba for file services in the wild. In fact this post from GuardiCore puts the number at approximately 110,000 and I know that a lot of the storage appliances I use for my labs have Samba services that are exposed to the exploit.

The Samba team released a patch on May 24 for a critical remote code execution vulnerability in Samba, the most popular file sharing service for all Linux systems. Samba is commonly included as a basic system service on other Unix-based operating systems as well.

This vulnerability, indexed CVE-2017-7494, enables a malicious attacker with valid write access to a file share to upload and execute an arbitrary binary file which will run with Samba permissions.

The flaw can be exploited with just a few lines of code, requiring no interaction on the part of the end user. All versions of Samba from 3.5 onwards are vulnerable.

It’s worth reading the GuardiCore post in detail as it lists the differences between WannaCry and SambaCry and why potentially the linux exploit has more potential for damage due to the fact it targets weak passwords that allow lateral movement. They have written an NMAP script to easily detect vulnerable Samba servers.

Apart from upgrading to the lastest builds there is a workaround in place…If your Samba server is vulnerable and patching or upgrading is not an option, add the following line to the Samba configuration file (smb.conf):

nt pipe support = no

Then restart the network’s SMB daemon (smbd)

Pretty simple workaround to stop systems potentially being impacted. Again to service providers out there, if you haven’t already done so, put out an advisory to your tenant’s to ensure they upgrade or put in the workaround! Also for all those homelab users out there, as Anton Gostev pointed out in his weekly Veeam Forum Digest, older NAS devices and even routers might be impacted and those are the type of devices that won’t get updates and generally those are the devices that hold valuable personal information…so again make sure everything is checked and the workaround put into play.

References:

https://www.samba.org/samba/history/security.html

https://twitter.com/hashtag/sambacry?f=tweets&vertical=default

 

Veeam Update: Community Podcast from VeeamOn London + Agent for Linux

A couple of weeks ago I was lucky enough to be in London attending the Veeam Vanguard Symposium organised and hosted by the Veeam Evangelist Team headed by Rick Vanover. The week was book-ended by the VeeamOn Forum at which I was invited to be part of a panel with other Vanguards hosted by Rick. The discussion was varied and the panel discussed a number of topics relating to backups, cloud, certification and all things Veeam covering multiple technologies ranging from VMware, Microsoft to Hyper-Scale clouds and certifications.

The session was recorded and is now available as a podcast which is embedded below.

Thanks to @Cragdoo @DaveKawula @SuperCristal1@Lost_Signal for making the panel fun and engaging.

Veeam Agent for Linux:

Big news also this week with Veeam releasing the eagerly anticipated public beta for their Linux backup product. This was first announced at VeeamOn in Las Vegas last year and the Vanguards got the low down on the product during the London week..including information about the change of name from Endpoint to Agent. It’s exciting for Veeam to have this as an offering as it acts to complete their existing product set to include native physical or virtual Linux platforms.

Veeam Agent for Linux is a solution that is able to perform image-based backups from inside the guest, both at the file level and the volume level. True incremental backup is enabled by Veeam’s proprietary CBT (change block tracking) driver, a dynamically loadable kernel module

I literally just downloaded and installed in the last five minutes and already have it running on one of my Lab Ubuntu VMs. There are some great applications of this agent when you think about futures around extending the backup repository out to Cloud Connect Backup endpoints. You can’t backup to a Veeam Backup & Repository Server just yet in this beta.

For more information head to the Veeam Blog Post here. And head here to join the public beta.

References:

https://www.veeam.com/blog/veeam-backup-for-linux-beta-is-available.html

https://go.veeam.com/linux

#VeeamON 2015: Announced: Veeam Endpoint Backup Free…for LINUX!

Today during the VeeamOn Keynote, one of the big announcements was that Veeam would be releasing a new Endpoint Backup product that extends support to Linux based physical (or Virtual) machines. This follows up from last years announcement of the Windows version which has been downloaded approximately 200,000 times since release proving that there is a serious thirst from IT pros and their respective companies to have a simple product that backups standalone physical machines…the only thing missing was Linux support.

http://www.veeam.com/endpoint-backup-free.html

The Veeam Vanguards where given a first look at the new edition at the Vanguard Day on the Monday and we got given a exclusive run down of the new features before they where announced at this afternoons keynote.

Veeam EndPoint Backup for Linux Features and Highlights*:

  • It’s FREE and will always be FREE
  • Agent based solution
  • Uses a built in Change Block Tracking engine
  • Supports Debian and Redhat Linux distributions initially (Ubuntu/CentOS)
  • Used a Native Linux Control Widget for Configuration and Monitoring of jobs
  • Has a seperate set of CLI commands to configure/modify jobs
  • Uses SQLite

At the moment, similar to the iniital release of the Windows version it will only support the following as backup targets

  • Local (internal) storage of the protected endpoint (not recommended).
  • Direct attached storage (DAS), such as USB, eSATA or Firewire external drives. • Network Attached Storage (NAS) able to represent itself as SMB (CIFS) share.
  • Veeam Backup & Replication 9.0 or later backup repository.

No Cloud Connect support yet, but hopefully that will come along in future updates.

Veeam EndPoint Backup for Linux will be available in the first half of 2016 and there will be a limited beta release program with details here.

*  Features subject to confirmation once officially announced

 

How To: DELL DSET Report Tool Live CD and Linux VLAN Config

Here is a quick post on generating support logs for DELL cases if you are running VMware ESX(i) on any of the DELL server hardware. I had a CPU alert appear in my vSphere Hardware status and raised a support ticket with DELL. Previously I’ve had to wrestle with the config/setup of the DSET tool on ESX(i) and even had it cause a boot up failures due to a comparability bug.

The Dell tech send me the link below which is a CENTOS LiveCD which can be downloaded and booted up on the server in question.

http://linux.dell.com/files/openmanage-contributions/omsa-70-live/

Once downloaded and attached via the iDRAC Virtual Media Manager you will automatically go through to the desktop where you can double click on the DSET Tool Icon. Let it do it’s thing and gather all the relevant info which is then packaged into a zip file under \tmp\data\

Ok, so now that you have the file…how do you get it off the LiveCD instance? The answer would be simple if you had interfaces configured with DHCP, but the majority of these servers are configured with NICs on VLAN enabled ports which are not easily switched over or able to be reconfigured without going through change management etc etc.

The Network Configuration GUI in CENTOS doesn’t have the ability to configure VLAN tagging on the interfaces so you need to jump into the shell and manually configure the network settings as shown below.

Create a new config file for eth0 and configure it as shown below…key here is to take note of the MAC Address, no include and IP or Subnet details and I disabled IPv6.

Once saved, copy that file and save to ifcfg-eth0.x where is is the VLAN you want the interface to communicate in. This time you are adding relevent IP info along with specifying the device name as eth0.x and VLAN=yes which obviously enabled the VLAN tag config.

Fire up the new interfaces and restart network and you have a VLAN enabled connection that you can now grab the DSET zip file off and send to DELL for analysis.

As a side note, being the good VMware fanboy that I am, I used my Octopus Beta service to upload the file and make it available via the Octopus URL for sharing…because getting access to the Horizon Suite BETA is currently near on impossible 🙂